full disk encryption with luks on manjaro xfce - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Pinebook Pro Tutorials (https://forum.pine64.org/forumdisplay.php?fid=117)
+--- Thread: full disk encryption with luks on manjaro xfce (/showthread.php?tid=9052)

full disk encryption with luks on manjaro xfce - limxr - 02-06-2020

This recipe is for a manjaro xfce pinebook pro image installed to an sdcard. This recipe may work with other manjaro pinebook pro images. First I created a separate partition for /boot that remained unencrypted. Second, I encrypted the existing root / installation using luks. I used debian os installed to emmc of pinebook pro; any os that supports luks should work (the default os on pinebook pro does not support luks). You may want to make sure to have a good backup first in case something goes wrong.

Code:
===================================

RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

Followed the directions, in the end I reboot to a screen that does ask for my password but when I type it's entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line. After some time modules will start to time out not being able to find firmware so I don't think my text is being entered in the right space. Any thoughts?

RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 10:43 AM)JaceAlvejetti Wrote: Followed the directions, in the end I reboot to a screen that does ask for my password but when I type it's entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

It sounds like the boot process did not wait for the password prompt but just continued. Do you have rootwait set as a bootarg? I've attached my boot.txt to see as example.

RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

(02-17-2020, 01:59 PM)limxr Wrote:
(02-17-2020, 10:43 AM)JaceAlvejetti Wrote: Followed the directions, in the end I reboot to a screen that does ask for my password but when I type it's entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

I do at that and agree that is what it sounds like, here's mine:

    setenv macaddr da 19 c8 7a 6d f4
    part uuid ${devtype} ${devnum}:${bootpart} uuid
    setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=bc3791fa-01e0-471d-9ace-a7cae5035c15:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60
    setenv fdtfile rockchip/rk3399-pinebook-pro.dtb

    if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
      if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then
        fdt addr ${fdt_addr_r}
        fdt resize
        fdt set /ethernet@fe300000 local-mac-address "[${macaddr}]"
        if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then
          # This upstream Uboot doesn't support compressed cpio initrd, use kernel option to
          # load initramfs
          setenv bootargs ${bootargs} initrd=${ramdisk_addr_r},20M ramdisk_size=10M
        fi;
        booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
      fi;
    fi

RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 02:15 PM)JaceAlvejetti Wrote:
(02-17-2020, 01:59 PM)limxr Wrote:
(02-17-2020, 10:43 AM)JaceAlvejetti Wrote: Followed the directions, in the end I reboot to a screen that does ask for my password but when I type it's entered into the line below it in plain text, hitting enter doesn't do anything but move to the next line.

That boot.txt looks fine. I wonder if the initram was generated correctly with mkinitcpio -P when booted to manjaro sd before you encrypted the root partition? From a linux os you could use cryptsetup to open the root partition on the sdcard, mount it, and check the etc/mkinitcpio.conf to make sure all the modules and hooks are loaded in order and the compression set to "cat". If you need to generate initram again you can probably do so from an arch/manjaro os, just make sure the mkinitcpio -P command is using options to point to the sdcard and not the booted os.

Another way you could do this is to decrypt the root partition on sdcard (cryptsetup-reencrypt /dev/mmcblk1p2 --decrypt) then change boot.txt back to non-luks configuration so you can boot into sdcard again.

RE: full disk encryption with luks on manjaro xfce - JaceAlvejetti - 02-17-2020

I backed up prior to doing the encryption, so that's likely where I broke it and here comes my question. I didn't match the order per the instructions, just made sure the items were there, guessing that matters from what you said. I am going to restore my backup and I'll do it again. Thanks!

RE: full disk encryption with luks on manjaro xfce - limxr - 02-17-2020

(02-17-2020, 05:48 PM)JaceAlvejetti Wrote: I backed up prior to doing the encryption, so that's likely where I broke it and here comes my question.

Yes, the order for the HOOKS in mkinitcpio.conf definitely matters, not sure about the MODULES but probably safest just to follow order in recipe.

RE: full disk encryption with luks on manjaro xfce - e-minguez - 02-18-2020

Has anyone been able to do this but for the eMMC? Thanks

RE: full disk encryption with luks on manjaro xfce - as400 - 02-19-2020

@e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.

RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-04-2020

(02-19-2020, 08:03 AM)as400 Wrote: @e-minguez I have luks + lvm on nvme drive. But I was never able to make it work with mkinitcpio generated initrd. I use dracut for creating initrd and extlinux.conf for booting on Manjaro.

I'm trying to make this work out of the box in the manjaro installer here https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer/-/issues/4 but even if I think it should work, it doesn't. Could you please take a look to see if I'm missing something? Thanks.
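
Added example, not part of any post in this thread: a shell check for the two things limxr suggests verifying in etc/mkinitcpio.conf on the opened and mounted root partition, namely the HOOKS order and COMPRESSION set to "cat". The required order (udev, keyboard and block before encrypt, filesystems after it) is an assumption taken from general mkinitcpio guidance for the encrypt hook, since the recipe's own code block is missing from this page; hook_pos, check_conf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check mkinitcpio.conf on a
# LUKS root that has been opened with cryptsetup and mounted.
# Assumption: ordering rules follow common guidance for the "encrypt" hook.

hook_pos() {  # 1-based position of hook $2 in the active HOOKS line of $1; 0 if absent
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=[("]\(.*\)[)"].*$/\1/p' "$1" | tail -n 1)
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

check_conf() {  # returns 0 only when every check passes
    conf=$1; rc=0
    enc=$(hook_pos "$conf" encrypt)
    if [ "$enc" -eq 0 ]; then
        echo "FAIL: encrypt hook missing from HOOKS"; return 1
    fi
    for before in udev keyboard block; do   # needed before the passphrase prompt
        p=$(hook_pos "$conf" "$before")
        if [ "$p" -eq 0 ] || [ "$p" -gt "$enc" ]; then
            echo "FAIL: $before must appear before encrypt"; rc=1
        fi
    done
    fs=$(hook_pos "$conf" filesystems)
    if [ "$fs" -eq 0 ] || [ "$fs" -lt "$enc" ]; then
        echo "FAIL: filesystems must appear after encrypt"; rc=1
    fi
    # The thread's boot.txt notes this U-Boot cannot load a compressed initrd.
    if ! grep -Eq '^[[:space:]]*COMPRESSION="?cat"?[[:space:]]*$' "$conf"; then
        echo "FAIL: COMPRESSION is not \"cat\""; rc=1
    fi
    return "$rc"
}

demo() {  # constructed samples: one correct order, one with encrypt too late
    d=$(mktemp -d)
    printf 'HOOKS=(base udev keyboard block encrypt filesystems)\nCOMPRESSION="cat"\n' > "$d/good.conf"
    printf 'HOOKS=(base udev block filesystems keyboard encrypt)\nCOMPRESSION="cat"\n' > "$d/bad.conf"
    check_conf "$d/good.conf" && echo "good.conf: OK"
    check_conf "$d/bad.conf" || echo "bad.conf: fix the order, then rerun mkinitcpio -P"
    rm -rf "$d"
}
demo
```

To use it on a real card, call check_conf with the path to etc/mkinitcpio.conf under the mount point of the opened root partition.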